1. Who We Are ConnectLead (“we”, “our”, “us”) is a trading name of Digital Rebel Ltd., 30 Queen Square, Bristol BS1 4ND, United Kingdom. We provide an autonomous, AI‑driven Sales Development Representative (“AI SDR”) platform that plans, sends and refines outbound sales communications on your behalf.

Contact: privacy@connectlead.co

2. Scope This policy describes how we collect, use and protect personal data when you:

Sign up for a ConnectLead workspace

Upload or synchronise leads, email templates or “winning emails”

Connect your own SMTP / IMAP accounts (“BYOE”)

Interact with our website, app or support channels

It also covers data processed by our AI models (OpenAI or compatible providers).

3. What We Collect Category Examples Source Account Data Name, email, password hash, billing details Direct Lead Data Prospect name, company, title, email, LinkedIn URL, enrichment fields CSV upload, API enrichment (Apollo, Clearbit, People Data Labs) Message Data Outbound emails, AI‑generated drafts, inbound replies, open/click events Your SMTP/IMAP integration Usage Data Log‑ins, feature clicks, plan/act/reflect metrics App telemetry “Winning Emails” User‑uploaded high‑performance copy Direct

We do not intentionally collect special‑category data.

4. How We Use Data Purpose Legal Basis (GDPR) Provide and bill the service Contract performance Enrich leads and generate personalised outreach Legitimate interest Train & fine‑tune AI models within your workspace only Legitimate interest + consent (opt‑in) Detect spam, bounces, deliverability issues Legitimate interest Send product updates & marketing (opt‑out) Consent / Legitimate interest Comply with legal requests Legal obligation

We do not sell your data.

5. AI Processing Specifics Drafts, replies and reflection prompts are sent to OpenAI (or the LLM provider you select).

We set data_usage_opt_out=true, meaning OpenAI will not use your content to train their public models.

Embeddings for “winning emails” are stored in pgvector inside our Postgres cluster or your dedicated instance.

6. Data Retention Data Type Retention Account & billing While account is active + 6 yrs (tax) Lead & message logs 24 months (configurable in app) AI prompts & outputs 12 months (for audit) Email opens / clicks 90 days

You may trigger deletion earlier via Settings → Data Controls or by emailing privacy@connectlead.co.

7. Sharing & Sub‑Processors Purpose Provider Location Safeguards App hosting Vercel EU/US SCCs DB & Realtime Supabase (Postgres, pgvector) EU SCCs AI inference OpenAI, Anthropic, Groq (configurable) US/EU SCCs + data‑usage opt‑out Mailing Resend (transactional), Postmark EU/US SCCs Payment Stripe US/EU PCI‑DSS

A full, always‑current sub‑processor list is available at connectlead.co/subprocessors.

8. Security Measures TLS 1.2+ in transit; AES‑256 at rest

OAuth or encrypted storage for BYOE SMTP/IMAP creds

Role‑based access control & MFA for staff

Continuous penetration testing and automated dependency scanning

ISO 27001 certification in progress (target Q4 2025)

9. International Transfers Data may be transferred outside the UK/EU to providers listed above. Standard Contractual Clauses (SCCs) and supplementary measures are in place.

10. Your Rights (GDPR / UK‑GDPR) Right to access / rectify / erase your personal data

Right to restrict or object to processing

Right to data portability

Right to lodge a complaint with the ICO (UK) or your local supervisory authority

Email privacy@connectlead.co to exercise these rights.

11. California (CCPA/CPRA) We are a “service provider.” We do not sell or share personal information as defined by CCPA. You may request disclosure or deletion via the email above.

12. Children ConnectLead is not directed to anyone under 16. We do not knowingly collect children’s personal data.

13. Changes to This Policy We may update this policy periodically. Material changes will be emailed to account owners and posted on the dashboard 30 days before they take effect.